Pearson has agreed to pay $1m to settle charges from US securities regulators that it knowingly misled investors and downplayed the severity of a 2018 cyber attack that exposed the personal information of millions of students.
The Securities and Exchange Commission said that the UK educational publishing company reported the breach as a “hypothetical risk” in its semi-annual report in 2019 when it had “already occurred” in 2018.
It added that Pearson claimed the breach of 13,000 school, district and university customer accounts “may” have included dates of birth and email addresses when in fact it knew that this was the case. It also failed to state that millions of rows of student data, usernames and hashed passwords were stolen.
The FTSE 100 group claimed to have “strict protections” in place for its systems, but had failed to patch the critical vulnerability that hackers used to get into its systems until six months after it was notified, the commission said. The SEC also criticised Pearson’s internal processes for handling disclosure as inadequate.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit.
“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
The $1m settlement comes as US intelligence agencies such as the FBI have called for more mandatory disclosure rules around incidents after a wave of crippling cyber attacks this year, particularly from criminal ransomware groups. Many companies are reluctant to disclose details of attacks over reputational and legal concerns, although they might be compelled to do so under SEC rules in the US if an incident is deemed material, or under other privacy regulations.
Pearson said it was “pleased to resolve this matter with the SEC”, adding: “We also appreciate the work of the FBI and the Justice Department to identify and charge those responsible for a global cyber attack that affected Pearson and many other companies and industries, including at least one government agency.”
Last year, trade publication EdWeek Market Brief reported that Pearson had confirmed that it was the victim of a sprawling campaign by two Chinese state-backed hackers targeting western research and intellectual property, including, most recently, coronavirus research. The two hackers were charged in July 2020 by the US justice department.
Pearson declined to comment on whether it was referring in its statement to the Chinese campaign or to confirm the EdWeek Market Brief article.